rpm package
suse/nodejs18&distro=SUSE Linux Enterprise Module for Web and Scripting 15 SP4
pkg:rpm/suse/nodejs18&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP4
Vulnerabilities (29)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-23936 | Med | 6.5 | < 18.14.2-150400.9.6.2 | 18.14.2-150400.9.6.2 | Feb 16, 2023 | Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` str | |
| CVE-2022-25881 | Med | 5.3 | < 18.16.1-150400.9.9.1 | 18.16.1-150400.9.9.1 | Jan 31, 2023 | This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library. | |
| CVE-2022-43548 | Hig | 8.1 | < 18.13.0-150400.9.3.1 | 18.13.0-150400.9.3.1 | Dec 5, 2022 | A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing | |
| CVE-2022-35256 | Med | 6.5 | < 18.13.0-150400.9.3.1 | 18.13.0-150400.9.3.1 | Dec 5, 2022 | The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling. | |
| CVE-2022-35255 | Cri | 9.1 | < 18.13.0-150400.9.3.1 | 18.13.0-150400.9.3.1 | Dec 5, 2022 | A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() alwa | |
| CVE-2022-32215 | Med | 6.5 | < 18.13.0-150400.9.3.1 | 18.13.0-150400.9.3.1 | Jul 14, 2022 | The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS). | |
| CVE-2022-32214 | Med | 6.5 | < 18.13.0-150400.9.3.1 | 18.13.0-150400.9.3.1 | Jul 14, 2022 | The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). | |
| CVE-2022-32213 | Med | 6.5 | < 18.13.0-150400.9.3.1 | 18.13.0-150400.9.3.1 | Jul 14, 2022 | The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). | |
| CVE-2022-32212 | Hig | 8.1 | < 18.13.0-150400.9.3.1 | 18.13.0-150400.9.3.1 | Jul 14, 2022 | A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding |
- affected < 18.14.2-150400.9.6.2fixed 18.14.2-150400.9.6.2
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` str
- affected < 18.16.1-150400.9.9.1fixed 18.16.1-150400.9.9.1
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
- affected < 18.13.0-150400.9.3.1fixed 18.13.0-150400.9.3.1
A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing
- affected < 18.13.0-150400.9.3.1fixed 18.13.0-150400.9.3.1
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.
- affected < 18.13.0-150400.9.3.1fixed 18.13.0-150400.9.3.1
A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() alwa
- affected < 18.13.0-150400.9.3.1fixed 18.13.0-150400.9.3.1
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
- affected < 18.13.0-150400.9.3.1fixed 18.13.0-150400.9.3.1
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
- affected < 18.13.0-150400.9.3.1fixed 18.13.0-150400.9.3.1
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).
- affected < 18.13.0-150400.9.3.1fixed 18.13.0-150400.9.3.1
A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding
Page 2 of 2